quasar | 6fd78082c430265edca50516be2e9f41f92e85d24293fc8ed03c8d07abedfd0f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Size

415KB
MD5

09bc620f2d6e7c816de1aed1ac50f6b2
SHA1

699ec5e8aa0723f6d359ff94c04d15014752ef77
SHA256

6fd78082c430265edca50516be2e9f41f92e85d24293fc8ed03c8d07abedfd0f
SHA512

319706712c7fcc214ed550e2b0467b39fb82e8a7542693c003cea4baa6b93aa8d519e49f425ce7ee9fd266cd52413b39b1e3fc87753b5162eecbd6e37c28d788
SSDEEP

12288:94aL1A0eRy9FSsNSwJKoHt7FdRfil/f2Ru:2aSHm8WRFnfju

Score

10^/10

quasar gang persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

GANG

pedobusters.online:8008

Mutex

QSR_MUTEX_8Ol06rF6g8zh7k7Rhz

Attributes

encryption_key
ZDTfmzLsYsHj3TpPae8U
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT 3 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Set value (str)		\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GpLYFeaWKN = "C:\\Users\\Admin\\AppData\\Roaming\\sDTRwPLWdP\\TkHrLGGXmL.exe"	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
	2	ip-api.com	Process not Found
	10	ip-api.com	Process not Found

Quasar payload 9 IoCs

resource	yara_rule
behavioral1/memory/2492-10-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2492-14-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2492-12-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2492-7-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2492-6-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2684-39-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2684-40-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/492-61-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/492-62-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GpLYFeaWKN = "C:\\Users\\Admin\\AppData\\Roaming\\sDTRwPLWdP\\TkHrLGGXmL.exe"	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
10	ip-api.com

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2636 set thread context of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 112 set thread context of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 960 set thread context of 560	960	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	47
PID 1240 set thread context of 904	1240	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	53
PID 2504 set thread context of 2556	2504	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	61
PID 2776 set thread context of 1560	2776	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	67
PID 868 set thread context of 860	868	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	73
PID 2024 set thread context of 2368	2024	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
656	PING.EXE
2452	PING.EXE
1572	PING.EXE
772	PING.EXE
2852	PING.EXE
1752	PING.EXE
2472	PING.EXE
288	PING.EXE
776	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	2684	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	560	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	904	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	2556	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	1560	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	860	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	2368	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
Token: SeDebugPrivilege	768	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2092 wrote to memory of 2492	2092	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	28
PID 2492 wrote to memory of 2336	2492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2336	2492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2336	2492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	30
PID 2492 wrote to memory of 2336	2492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	30
PID 2336 wrote to memory of 2416	2336	cmd.exe	32
PID 2336 wrote to memory of 2416	2336	cmd.exe	32
PID 2336 wrote to memory of 2416	2336	cmd.exe	32
PID 2336 wrote to memory of 2416	2336	cmd.exe	32
PID 2336 wrote to memory of 2452	2336	cmd.exe	33
PID 2336 wrote to memory of 2452	2336	cmd.exe	33
PID 2336 wrote to memory of 2452	2336	cmd.exe	33
PID 2336 wrote to memory of 2452	2336	cmd.exe	33
PID 2336 wrote to memory of 2636	2336	cmd.exe	34
PID 2336 wrote to memory of 2636	2336	cmd.exe	34
PID 2336 wrote to memory of 2636	2336	cmd.exe	34
PID 2336 wrote to memory of 2636	2336	cmd.exe	34
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2636 wrote to memory of 2684	2636	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	35
PID 2684 wrote to memory of 1688	2684	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	36
PID 2684 wrote to memory of 1688	2684	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	36
PID 2684 wrote to memory of 1688	2684	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	36
PID 2684 wrote to memory of 1688	2684	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	36
PID 1688 wrote to memory of 1820	1688	cmd.exe	38
PID 1688 wrote to memory of 1820	1688	cmd.exe	38
PID 1688 wrote to memory of 1820	1688	cmd.exe	38
PID 1688 wrote to memory of 1820	1688	cmd.exe	38
PID 1688 wrote to memory of 1572	1688	cmd.exe	39
PID 1688 wrote to memory of 1572	1688	cmd.exe	39
PID 1688 wrote to memory of 1572	1688	cmd.exe	39
PID 1688 wrote to memory of 1572	1688	cmd.exe	39
PID 1688 wrote to memory of 112	1688	cmd.exe	40
PID 1688 wrote to memory of 112	1688	cmd.exe	40
PID 1688 wrote to memory of 112	1688	cmd.exe	40
PID 1688 wrote to memory of 112	1688	cmd.exe	40
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 112 wrote to memory of 492	112	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	41
PID 492 wrote to memory of 1968	492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	42
PID 492 wrote to memory of 1968	492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	42
PID 492 wrote to memory of 1968	492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	42
PID 492 wrote to memory of 1968	492	09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe	42
PID 1968 wrote to memory of 324	1968	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
1⤵
- Quasar RAT
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\lNVy4PCIpFav.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ij6AL4Dbd0Bf.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RsM7dYSomu50.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        10⤵
        
        PID:324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        10⤵
        Suspicious use of SetThreadContext
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\p86RhsltG2XR.bat" "
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        
        PID:756
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        13⤵
        Suspicious use of SetThreadContext
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\jBs2CXxE3hug.bat" "
        15⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        16⤵
        Suspicious use of SetThreadContext
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\HaDkLPJJHMA0.bat" "
        18⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        19⤵
        Suspicious use of SetThreadContext
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JirE3PEtOegX.bat" "
        21⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        22⤵
        Suspicious use of SetThreadContext
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wd9UlDNNp4Xf.bat" "
        24⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        
        PID:448
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        25⤵
        Suspicious use of SetThreadContext
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wFdAh1gsFOAI.bat" "
        27⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        28⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        29⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        29⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        29⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        29⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\09bc620f2d6e7c816de1aed1ac50f6b2_JaffaCakes118.exe"
        29⤵
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HaDkLPJJHMA0.bat

Filesize
243B

MD5
0d3ccd056b9f33b4de29f8028d1e55e1

SHA1
24bc2a7561b73061b4ce567cb94e296aecf9bbbf

SHA256
3addaa22dcd0b8b0af50ef4d2342559bbcc7f8b2ce495fc5b3c9a69a842563e2

SHA512
94f462af40bfa5ea196a3bc6aebd208f11b02ed62944467e9223a9781a33afd095be46fe6664015dc98db8d58eb11a8f2f2d4f7284d2c0cbd1ec33d7c1189d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ij6AL4Dbd0Bf.bat

Filesize
243B

MD5
b25a88d651945a71b43161fdca2b7288

SHA1
653336f43b65b38ffef388e9a13ac36f6069b779

SHA256
4d7320c78b2f7c55e6a06c8823c579782450e9bd9519823ab6852fef5aab41ea

SHA512
36c1c8105204915d3dffd15e844250f658f59326d77b667a3a3df8b0ba6239a1ebab17c30507d9f2fa2095bdf8f6b0e6d6d4cc3a8985167941359c001bb6eb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\JirE3PEtOegX.bat

Filesize
243B

MD5
cfd05fe1e09916dde0acf09737ffbe11

SHA1
e9f275d12ad3655d8def82af970a5280b894e8dc

SHA256
35fb2a79b86a48db21e75a4b2322590c4240662bdce935226b1db49dcc5f75e0

SHA512
e69b18525d2d79f98eec01129a3e220b882c505b0b314789e703fefb8bdc0fccbeb10f95b518b340e1dc18479b0e2a290f358ef3871c23e40a5942392bebc734

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsM7dYSomu50.bat

Filesize
243B

MD5
df76d475537fcc2f1e7b5e3d621717a0

SHA1
40745d2aae5fa57102bf7014e9f22bddc2cd8eda

SHA256
76e5092cf5e8ce697cd17ba611e8e74acf43b41168d2c610c63ccec1c62b1fea

SHA512
c68021f7ea499597dd15b916cb2c6a1dd8113efe6dc15d209321deeb3b5f02846b3eec75614e3f9354ada6ecd87e319d948139056d08831800315e71f9829ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBs2CXxE3hug.bat

Filesize
243B

MD5
187272e420106dc63f75d622db94875d

SHA1
e96810b0939a4e57faddf41b84ed58445e5045d3

SHA256
24f19a24f356700df3e7ffa57701b51cb110f80fe8c23a0e5c4d026172cae121

SHA512
c168b8a1d2f01f89a48baad9ac0444c26729bb17cb35d8c0b5ce17cb5dea9d55ef12d67ea599a1451e50eee1c0d8d272b3b7f0240bdda07c732423d48532570c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lNVy4PCIpFav.bat

Filesize
243B

MD5
5bb5ace4647db0e443c8436be5957b66

SHA1
b291d49bee59fd0eae3829faa346d4db44afc7ab

SHA256
ae9d751bc5febffce5d59d378c4f7563a3e1495271e7430837c70a935feba782

SHA512
8a63f6d600f253da43cf1942b751a1ccdddc0165736fef8653fab8d4f9afa3a3a6a7f5a79ccd9e0bb6a39f5857cc093bc5d9b1c23d45f8d7749687eed828cf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\p86RhsltG2XR.bat

Filesize
243B

MD5
f441ebc4c1272a0b5200baff8a07d5ef

SHA1
02a975d8513a0a929c0ab83e3dd74ff3ef1d61cc

SHA256
234be673d1acec8f13eea0d0f8b3f0953f08edad9e7bf0efffb57e0e642ba698

SHA512
2f8d48ee180148cd75f6df0d0b75e2e05a14fe02c4dd33d39f85d1b62b09cbd233f41ed7cd312205aa84b039a2f626e09d4b0bbb30f5698e9be672715e7f67de

Download Submit
C:\Users\Admin\AppData\Local\Temp\wFdAh1gsFOAI.bat

Filesize
243B

MD5
75a1e9e1f3adbc8c02c3f71e2853f011

SHA1
a6b125a196387d5f8e7f99d15c0f9fec3d15b513

SHA256
3c573eda989c5e7e43f9cdc2644d8998edcf55a71943d86a14afd6edc6b223bf

SHA512
e6af7b0e6eb913c0044d6c83ef74b07d9cf85f8e9689fd5d0aa223ee7b5ffba74652d798ad54b1f99b4dd262fd63d2d885cbf6b8a19db4a95ebe7ec98492b1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd9UlDNNp4Xf.bat

Filesize
243B

MD5
8bb27ebcbfb7fc1282ede90b1edb2f98

SHA1
b67d0f45f06ff7e0e3fdf6cc1d32023fb2ef839e

SHA256
655263f7ef723fc916201f981dda336f142974f725fbcfaf45cc558ccbd5d647

SHA512
031144e53fb147d6de2aff70b3c1c66b735d4684524c7e0c46361546907672d7a68ccb393e341518b8a88df5808072278c064b776a22d3be9025573f5219b024

Download Submit
memory/112-50-0x00000000012B0000-0x000000000131E000-memory.dmp

Filesize
440KB

Download
memory/492-61-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/492-62-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/768-198-0x0000000000280000-0x00000000002EE000-memory.dmp

Filesize
440KB

Download
memory/2092-17-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2092-1-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2092-3-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2092-0-0x00000000012B0000-0x000000000131E000-memory.dmp

Filesize
440KB

Download
memory/2492-10-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2492-4-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2492-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2492-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2492-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2492-27-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2492-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2492-14-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2492-15-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2492-16-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2636-28-0x00000000012B0000-0x000000000131E000-memory.dmp

Filesize
440KB

Download
memory/2684-40-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2684-39-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download